Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

nk497 writes "Conficker seems to finally be doing something, a week after hype around the worm peaked on April Fool's Day. It has now downloaded components from the Waledac botnet, which could contain rootkit capabilities. Trend Micro security expert Rik Ferguson said: 'These components have so far been missing, but could this finally be the "other boot dropping" that we have all been been waiting for?' Ferguson also suggested that people behind Conficker could be the very same who are running Waledac and created the Storm botnet. 'It tallies with some of the assumptions people have made about Conficker — that the first variant was actively trying to avoid the Ukraine because Waledac was Eastern European,' Ferguson added."

April 1 - 2009 Conflicker downloads and activates it evil payload. Computer screens all over the world go black with large red numbers counting down to....... something......

Do it like the many really bad computer hacker movies. That would simply be funny as hell. The raging panic from the easily panicked sheep, Fox news will report that Conflicker turns your computer into a bomb, etc....

I have never understood that stupid song. Everything she lists is unfortunate, or inconvenient, but not a single one is actually ironic. Maybe that's the irony. Or maybe that word doesn't mean what Alanis thinks it means.

I think of it differently. Han is an experienced criminal in Star Wars. Luke is still quite naive.

Han says that the MF made the Kessel run in less than twelve parsecs, obviously not a measure of time. Luke asks if that is fast. Han then knows that Luke is an interstellar NOOB. While not nice, this type of behavior was something that made Han Solo interesting in the first films. He went from a selfish smuggler that would have ejected his passengers in space to a selfless leader.

At my old apartment we had someone stealing gas on the peak of the market.Since my truck is crap it was an easy target. They stole almost an entire 30 gallon tank full.

I found out who it was by disconnecting my fill spout from the tank (and piping a new fill spout from the tool box in the bed), and putting in a mini tank on the OEM filler. Filled it with about 3 gallons of nitromethane and 2 gallons of diesel. All of a sudden one day this (asshat) ricer had his engine almost explode. It was quite funny.-nB

A friend of mine did similar. His vehicle has two 25 gallon gas tanks. So, he routed one so it filled up from a non-obvious location and the second tank he filled up with water and used a non locking gas cap. It was not uncommon to see more than the usual amount of dead cars in parking lots, especially during last year when the price of gas spiked.

Everyone was expecting that and was prepared for it. A week later, everyone's forgotten about it. Also with this timing if something starts going wrong now it will be difficult to get anyone to fix it until Tuesday.

In this case everyone was growing to expect just that, and would therefore be taking it seriously. Or at least people that could do something about it would. Now, since nothing much has happened people are lulled into a false sense of security and become lax or start considering the threat that something big was happening on 4/1 the real joke.

Now that the hype has supsided, what better time to strike? I think that dovetails nicely with GreggBZ's earlier post about the holiday weekend (for some of us).

Half the world writes it 4/1 the other half 1/4, the one you use doesn't make it any better then the one they use.It's a big world, you have to expect people to do things differently then you do...but then that would be thinking people are individuals and it's ok to be different

Half? About one twentieth of the world (by population) writes it month/day or month/day/year, in the so-called "middle-endian" form. The other nineteen twentieths mostly write it day/month or day/month/year, in the so-called "little-endian" form. The ISO 8601 standard is the "big-endian form" year-month-day which is used in a few countries.http://en.wikipedia.org/wiki/Date_format#Date_format [wikipedia.org]

Then again, I remember the Coalition Of The Willing well, how Micronesia, Belize and Palau had sent half their military to Iraq (I think it was what, 7 soldiers between them?), so "people were for us". (One wonders if they would have if the US hadn't threatened to withhold aid, but that's getting even more off-topic...)

One of the major causes of the Potato famine in Ireland was the reliance on a single product (the potato) and an inability to shift to a more varied diet. Things like ILoveYou and Conflicker are preying on exactly the same homogeneous environment as they know that hitting one element yields massive results.

Now given that this homogeneity has been driven in part via a convicted monopolist then it really is interesting how little political attention this gets. Arguably these sorts of attacks are more of a modern challenge than "traditional" terrorism and against a background of economic woe we can all do without a bunch of companies getting taken offline for a few days or suffering from industrial espionage.

We don't learn from history, we don't apply history to new cases we just stand back in amazement after letting homogeneity develop at the impact that a relatively simple flaw can have across a large group of people.

>Yeah, because obviously the answer is to have a hundred different systems
>with a hundred different sets of vulnerabilities. That will be much easier
>to keep patched.
well, actually, this really is the answer - you never get rid of vulnerabilities but you can put enough variation in them that specialised viruses become less effective.

Or, since the barrier to entry is so low as far as blackhats are concerned, ALL systems end up being more insecure and virus-ridden and no one benefits.

Or virus-writers will pick, instead of the top 1, the top 5, or the top 50% of systems, and target those. Unless it were a truly heterogeneous network, with every single person having their own hand-crafted OS and application set, there will be viruses because people, dammit, want to see the dancing bunnies.

Why would you need to patch if nobody has a clue about how to attack your system?

well, actually you got a point but you come at it from the wrong angle.

The problem is that thanks to the net, EVERY COMPUTER IS THE SAME. Internet capable...

Effecticly, this is to sexually transmitted virusses as all of us screwing everyone else at the same. The internet is a gangbang of computers.

What this leads to is that no matter how obscure your OS and the bugs on it, someone somewhere will know about it and have, thanks to the sheer size of the net, have thousands if not hundreds of thousands of targets.

There may not be many amiga's left but if they were all infected, it would still be a nice botnet.

Why would you need to patch if nobody has a clue about how to attack your system?

Because if even one system in your heterogeneous environment is exploitable you have just given them an easy backdoor to the rest of your system. If all systems aren't patched up you've only created a false sense of security and you've increased your maintenance costs many magnitudes higher for some "security through obscurity" scheme.

Because if even one system in your heterogeneous environment is exploitable you have just given them an easy backdoor to the rest of your system

Sure, if your sysadmin is an idiot. If one box being compromised results in full access to all boxes on the network, your system is poorly designed. Unless, perhaps, that one box is an LDAP/AD server or something.

Sure, if your sysadmin is an idiot. If one box being compromised results in full access to all boxes on the network, your system is poorly designed.

Strawman argument. No where in my statement did I say anything about having full access to every other box on the network through that one node. But, once an attacker has an inlet into the network they can then move on to compromise other systems which may have greater access to other parts of the network. The simple fact of the matter is that the systems on the network are going to have to have some level of access to each other otherwise there is no point in networking them up together.

I run an unpatched machine with an obscure system that some friend of mine wrote. Probably anything but secure, knowing his code, but oddly, no spyware, no malware, no nothing. Why? Because it's no market either.

When you have a hundred systems all having an equal market share, any given threat can only infect 1% of the existing machines (provided they are not binary compatible). That is economically uninteresting for the malware businesses.

"Yeah, because obviously the answer is to have a hundred different systems with a hundred different sets of vulnerabilities. That will be much easier to keep patched"

Well, at least then things like Conficker would be stopped dead in their tracks, and a vulnerability in a particular system wouldn't lead to the kind of thing like the currrent virus/spam/phishing epidemic.

Why? It is often only necessary to attack the weakest link in the chain. To get inside a company network and copy documents available to employees, for example, only one employee workstation needs to be subverted. That is easier if there are several different systems running - just pick the crappest one and exploit that.

Of course, it's arguable that the one system which is widely deployed in a monoculture today is in fact that one crappest a

His point was that you don't need to keep things patched as regularly if you have a wider variety of OSes because there will be less people finding vulnerabilities, less incentive to exploit them,and less hackers writing worms for a given OS.

That is the definition of 'security through obscurity'. I would not want to run an insecure system and hope to be safe because nobody else had heard about it. True security means using well-known and peer-reviewed code (but not 'well known to be crap').

Except in such a case you just have to exploit one box and you get access to the rest. There went all your brilliant planning and schemes.

No, you would probably just get access to the one box (and others identical to it). You generally would not get access to the other boxes, unless they share essentially the same vulnerability. GP's point was that a monoculture can be devastated by a single assault, but a mixed ecosystem is much more difficult to damage severely.

Minor clarification of GP post: the potato crop in Ireland in the 1840s was dominated by a single variety of potato - the Lumper - which exacerbated the effect of a single strain of potato blight. The equivalent in computers would be all PCs running the same version of Windows with the same selection of programs, patches and protections: a disaster waiting to happen.

There are two programs included with Windows versions (XP and newer) that do pretty much this. sigverif.exe which verifies every file's signature, and sfc.exe which will compare installed Windows files against service pack files and will copy from OS media any files that have been changed or are missing.

Aside from pointing out the flaws in your analogy, and the fact a patch was released four months before this exploit arrived, I think you are overlooking the massive systemic benefits of homogeny.

One could argue that computing and the Internet would not be as ubiquitous as they are today without having had a defacto standard. There is an even stronger argument at the cost savings to businesses and governments in not having to train and retrain new employees on how to use numerous computer systems.

there is no excuse for leaving production systems unpatched for four months.

We have a particular set of servers for an application, and the company that made the software in question (FujiFilm's Synapse PACS) does not want patches installed on those servers, or the workstations that run the client app until they confirm it doesn't conflict with their software. Thankfully, this particular patch was approved, but there are other MS patches that have not been approved in over a year (or there was when I last checked, anyway). Similarly, some other devices (like an Ultrasound machine

The problem isn't homogeneity, since if the full of the big three OSs carried a 1/3rd of the market, malware devs would just pick on and stick to it, evening out the load. this would actually make defense harder, since you'd have to cover all three.

The problem is end users not knowing squat about security or safety (with a heaping helping of the main OS out there being rather patchy in security).

With an educated user, most computers are almost completely secure. Most viruses, worms, etc.. rely on the use

I think your anglophobic ranting has blinded you to the OP's statement and argument.

One of the major causes of the Potato famine

[emphasis added]

The reliance on a single product - the potato - was unquestionably one of the major factors behind the famine. The fact that this reliance had socio-political factors as its root cause is totally besides the point. The fact is that the poorest people were reliant on the ubiquitous crop as their winter staple, and that ubiquity is what allowed one blight to cause

Because Open Source is standards based development encoded into the practice. Like, there's only one Linux kernel, only one C compiler, only one bash shell.. only one Perl, only one Java... the whole concept of Open Source revolves around a brief period of competition followed by univers

Like, there's only one Linux kernel, only one C compiler, only one bash shell.. only one Perl, only one Java...

You are correct that there are only one Linux kernel, but there are other free [debian.org] UNIX kernels [debian.org] you could use instead. When it comes to compilers both LLVM [llvm.org] and GCC [gnu.org] are widely used. (LLVM is used in Gallum3D [tungstengraphics.com], the new acceleration architecture for X, and in Shark [java.net], a CPU agnostic JIT for OpenJDK. A C frontend [llvm.org] not based on GCC is in development) There are many shells. Ubuntu, a quite popular Linux distro, actually uses dash [wikipedia.org] as default/bin/sh. While it's true that only OpenJDK (if I recall correctly) passes the TCK for Java you also have competing implementations like Harmony [apache.org], what Google uses on Android. You have more competition on the parts of the Java stack that takes less [gnu.org] time [cacaovm.org] to implement.

I think your anglophobic ranting has blinded you to the OP's statement and argument.

There's nothing anglophobic about it.

First off, I'm not expressing any kind of fear, therefor, there's no phobia. In fact, if someone says, they do not like gays, whites, or spiders, they are not homophobic, white-o-phobic, or spider-phobic. Dislike is not caused by fear. So let's burst that bubble.

Secondly, merely stating history is, well, telling the truth. The British treated the Irish like dirt for a long time. I thi

to be fair, the British government didn't deliberately starve the Irish, instead they were proponents of 'free market forces'. They didn't have supermarkets or microwave readymeals in those days, so a staple foodstuff like the potato was pretty much all you ate anyway. Of course, if you were rich you could afford meat - like the cattle raised in Ireland for English tables. The landlords got richer and the poor stayed poor.

The trouble was that the blight reduced the number of potatoes in circulation, and as other people were richer, they could afford to pay more - and so the farmers shipped their potatoes to the richer people, leaving the peasants to starve. As has always been the way.

Incidentally the British didn't deliberately starve the people - after they'd woken up to the trouble, they did ship in large amounts of aid and close the ports to food exports. Too late for most of course, but don't get incompetence confused with conspiracy.

There's been too much FUD about the potato famine, I suppose spread for modern political reasons. The truth is just dull, the government took a 'light touch' approach to the markets. Unfortunately this approach to 'hands off' free-trade doesn't give what society requires, with such lax input from governments, the free market doesn't always work correctly and you have monopolies appearing and abusing the freedom that should be providing a better set of choices. For computers, its no good saying "you could run Linux" if everyone needs to run Windows because of the ubiquity of software running on it.

Protectionism is the last thing you want, when you get that, you invite stagnation. There's no innovation of growth, the established parties simply try to maintain their market with what they've got. Developing new products is a significant cost - and without free trade getting in the way and allowing new entrants to the market, there's no incentive to spend. Of course you might get new upstarts appearing, but that happens so rarely, and most of them are small and get killed off by the established big players either by being bought out (name any MS product really) or having their market destroyed (eg IE v Netscape).

Ultimately the government needs to step in and support open standards, making sure everyone works with them. Then you can have much better spread of heterogeneous systems as they would work together, giving people the ability to choose an alternative to the dominant product.

Incidentally the British didn't deliberately starve the people - after they'd woken up to the trouble, they did ship in large amounts of aid and close the ports to food exports.

As you say, there has been a great deal of bunk written about the Hunger in Ireland in the late 1840s. However, you may have added to it.

Irish ports were closed to food exports in the previous famine in 1783, but not at any time in the 1840s or 1850s. Ireland remained an exporter of food (mostly grain & cattle) in great quantity during the Hunger. What food aid arrived in Ireland was the result of charities, not the British government. In fact, the British attempted to prevent food aid from arriving from some other countries. http://en.wikipedia.org/wiki/Great_Irish_Famine [wikipedia.org]

There was also a lesser famine in Scotland at the same time, caused by the same over-reliance on potatoes which were hit by potato blight. http://en.wikipedia.org/wiki/Highland_Potato_Famine [wikipedia.org] This caused great hardship in the Highlands, but food aid provided directly by the British government meant there were relatively few deaths from starvation or malnutrition-related diseases.

I think it has counter measures against it too. It is not a trivial VBasic junk. It is one of the most advanced professional worms to date.Even basic shareware has counter measures against messing with clock like that.Don't forget that it is not only local code, it gets payload with p2p. So if you can fool it with date, you won't be able to fool the host part.

You have to understand the difference. On one hand you have software written by professionals with high skill, a good quality control, nice paychecks and other motivations, strict deadlines and a quite professional, ambitious and goal focused leadership.

You certianly can man in the middle attack it. slowly skew the time with your own NTP server.. then look to where it's going to ask for it's next feeding and then attack that vector. and yes you CAN attack a P2P distribution vector.

The AC is confused though; researchers did all of that, they even have some sort of access to the randomly generated domain list (I get the impression that they have the algorithm, rather than doing some sort of playforward attack as is being discussed here) that is checked for downloads. The core issue is that there had not been anything to download, so all they were able to do was (potentially) confound the operators.

I would go so far as to say that they have been attacking the p2p vector, but since it re

First of all, I'm sure that the payload itself wasn't made available until the last minute.

Second, if it were me who wrote the virus, I would have written it to *start* looking for a payload, start looking in no particular place, and continue looking until it's been found. Considering that it's getting its payload from an established botnet, it could just be poking around looking for machines that can give it its payload and the payload wasn't made available until today.

When you have control of as many machines as the Storm or Waledac botnets, the world really is your oyster. You're not restricted by IPs, and if your botnet is large enough, you can just iterate through addresses looking for a system that has your payload for you. Without access to the botnet or the payload, it doesn't matter how much you reverse engineer or adjust your clock, you just can't predict what will happen in the future.

When you realize you are uncontrollably in love with someone? That you and this person sitting beside you are soul mates? That you were meant for each other?

That moment for me came a few weeks ago. Yes, my wife and I have been married several years, but she was a Windows user when we met. Sure, she'd grown up in a diverse family - both Macs and PCs, but most of her experience was on Windows.

About a year ago I replaced Windows with Ubuntu on the family laptop. She kind of grudgingly went along with it.

Then, last week we were watching the news when the anchor broke the story of conficker. Without missing a beat, she turned to me and in roll-your-eyes-I-can't-believe-they're-so-stupid kind of voice said:

"That's a Windows thing, isn't it?"

"Yep," I replied.

"Hmmm. Sucks to be them, I guess..."

Linux evangelists take note: sometimes it takes people *years* to come around. But when they do, when they realize they no longer have to WORRY about viruses and other Windows-specific crap, it's priceless.

See, if you're going to go all political and off-topic, you should at least try and make some sort of attempt to link it to the story at hand...

for example...

If you look at the facts the conficker virus and waladac botnet are CLEARLY parts of a vast left wing conspiracy which is obviously fronted by obama because the democrats want to take as much of your processing power as they do your income

It actually happens all the time: worms and viruses often knock each others out, because each of them is competing for scarce resources (like outbound bandwidth, hooks to the keyboard etc.). There's no reason why a white-hat worm shouldn't exist.
The Worm-Wars have already begun.